
Re: Please review proposals for LDAP controls



At 05:43 PM 2001-11-20, Rob Weltman wrote:
>>> "Identities presented by a client as part of the authentication
>>> process may be mapped by the server to an arbitrary authorization
>>> identity.  The bind response control can be used to retrieve that
>>> AuthzID.
>>> For example, during client authentication with certificates...."
>>Identities presented .... mapped to ... arbitrary authorization identities.
>>                                                                       ^^^^
>>One of these is returned upon request.  [See below]
>  How about returning potentially more than one identity in the response control? That could be done by placing the authzId or authzIds in a sequence in the value part of the response control.
>  I have yet to see an example of that, while I have seen many cases where the response control with a single DN-valued authzId is extremely useful, but at least the control would allow for the possibility of multiple authzIds.

I'm concerned that this might not be enough, but the alternatives
I can think of off the top of my head are other issues.  I'll
have to think about this a bit, chat with a couple of other folks,
and get back to you on this.

Given the I-D cut-off, for now, I suggest you leave the controlValue
syntax as is and state that the server "chooses" which to return.

>>>>Anyways, in regards to the your proxy I-D, I do have a couple
>>>>of quick comments:
>>>>- Can a client distinguish between "user not allowed to
>>>> assume asserted authzid" and "authzid has no rights to
>>>> perform operation"?
>>>No
>>I can see cases where it would be useful to distinguish
>>these cases, for example when used by an administrative
>>clients in testing access controls.
>  A server can support that by returning different human-readable result strings (but the same result code).

I'd prefer another resultCode be used to indicate the "user
not allowed to assume asserted authzid".  One can add a
resultCode to LDAP easy enough.  You can borrow language
from the draft-zeilenga-ldap-cancel-xx.txt.  For name
and number, I suggest proxyAuthorizationNotAllowed (47).

>You're talking about debugging, not about a production environment.

I'm talking about an administrator debugging ACLs in a
production environment.  (I know of few deployments
where the administrator maintains a separate system
(or replica) solely for debugging purposes.)
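The two controlValue forms under discussion, as an added example that is not part of this thread or of any OpenLDAP or IETF code: a minimal BER encoder for the bind response control value as a single authzId OCTET STRING (the "leave as is" form) and as a SEQUENCE OF authzId (the multi-identity proposal), with a strict decoder that accepts either. The authzId strings ("dn:...", "u:...") are constructed sample values.

```python
# Added example, not from this thread or from any OpenLDAP/IETF code: BER
# encoding of the authzId bind-response controlValue as one OCTET STRING or as
# a SEQUENCE OF OCTET STRING, plus a decoder that accepts either form strictly.
# Sample authzId strings ("dn:...", "u:...") are constructed values.

def _ber_len(n: int) -> bytes:              # definite-form length only
    if n < 0x80:
        return bytes([n])                   # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form

def _read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                        # long form; 0x80 alone is indefinite
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("contents exceed buffer")
    return tag, buf[pos:pos + length], pos + length

def encode_single(authzid: str) -> bytes:
    raw = authzid.encode("utf-8")
    return b"\x04" + _ber_len(len(raw)) + raw          # OCTET STRING

def encode_multiple(authzids) -> bytes:
    body = b"".join(encode_single(a) for a in authzids)
    return b"\x30" + _ber_len(len(body)) + body        # SEQUENCE OF OCTET STRING

def decode_control_value(value: bytes) -> list:
    tag, contents, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after controlValue")
    if tag == 0x04:                          # single authzId
        return [contents.decode("utf-8")]
    if tag != 0x30:
        raise ValueError("unexpected tag 0x%02x" % tag)
    ids, pos = [], 0
    while pos < len(contents):               # SEQUENCE of authzIds, in order
        tag, item, pos = _read_tlv(contents, pos)
        if tag != 0x04:
            raise ValueError("SEQUENCE element is not an OCTET STRING")
        ids.append(item.decode("utf-8"))
    return ids
```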